[Bug 69706] New: Session persistence broken when persistAuthentication is turned on in tomcat 11.0.7

Wed, 04 Jun 2025 07:02:31 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=69706

            Bug ID: 69706
           Summary: Session persistence broken when persistAuthentication
                    is turned on in tomcat 11.0.7
           Product: Tomcat 11
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Authentication
          Assignee: dev@tomcat.apache.org
          Reporter: mhartma...@gmx.net
  Target Milestone: -------

Session serialization fails between restarts of tomcat, when both of these
conditions are met:
        - persistAuthentication is turned on in context.xml (by line '<Manager
pathname="SESSIONS.ser" persistAuthentication="true"/>' ) 
        - Active _unauthenticated_ user sessions exist

Following the related stack trace from "catalina.${date}.log":

        java.io.NotSerializableException: java.util.OptionalInt
                at
java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1200)
                at
java.base/java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1585)
                at
java.base/java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1542)
                at
java.base/java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1451)
                at
java.base/java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1194)
                at
java.base/java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:358)
                at
org.apache.catalina.session.StandardSession.doWriteObject(StandardSession.java:1275)
                at
org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:837)
                at
org.apache.catalina.session.StandardManager.unload(StandardManager.java:218)
                at
org.apache.catalina.session.StandardManager.stopInternal(StandardManager.java:285)
                at
org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:235)
                at
org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:4660)
                at
org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:235)
                at
org.apache.catalina.core.ContainerBase.removeChild(ContainerBase.java:626)
                at
org.apache.catalina.startup.HostConfig.undeploy(HostConfig.java:1439)
                at
org.apache.catalina.startup.HostConfig.checkResources(HostConfig.java:1348)
                at
org.apache.catalina.startup.HostConfig.check(HostConfig.java:1617)
                at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:263)
                at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109)
                at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:940)
                at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1139)
                at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1143)
                at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1121)
                at
java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
                at
java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:358)
                at
java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
                at
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
                at
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
                at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:59)
                at java.base/java.lang.Thread.run(Thread.java:1583)

Note that org.apache.catalina.authenticator.SavedRequest does implement
java.io.Serializable, while its member variable originalMaxInactiveInterval of
type java.util.OptionalInt does _not_.
This has been changed at some point between tomcat version 11.0.1 and 11.0.7.
(Version 11.0.0 did not have this issue.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to